Researchers suspect that the Russian APT Gamaredon threat actor group could fuel a new wave of DDoS attacks. They found that this group has open-sourced the code of a DDoS Trojan program called “LOIC ” to carry out DDoS attacks. During monitoring Gamaredon’s activity researchers also found multiple attack chains including – phishing emails, remote template injection, malicious scripts with self-extracting programs, Wiper payloads, and registry modification for scheduled tasks among others. The malicious code distributed by the APT group includes hardcoded IP addresses and ports for the targets.
The malware samples observed by researchers seem to have been compiled in early March this year – shortly after the Russian invasion of Ukraine had taken place. After the military conflict, a new trend of disruptive attacks is gaining momentum including wiper attacks and DDoS. Ukraine is already facing the brunt of these DDoS attacks; however, they are not the only ones. Recently, the Italian Computer Security Incident Response Team also alerted about the potential risk of DDoS attacks against its national entities.
The Quad nations Australia, the United States, India, and Japan have committed to several initiatives in cybersecurity concerning software, supply chain, and user data during the recent meeting in Tokyo.
The countries’ leaders including US President – Joe Biden, Australian Prime Minister – Anthony Albanese, Indian Prime Minister – Narendra Modi, and Japanese Prime Minister – Fumio Kishida stated in a joint statement, “their renewed commitment to deepening cooperation in addressing some pressing challenges currently facing the Indo-Pacific region.” This includes issues such as the ongoing COVID-19 pandemic, climate change, infrastructure, peace and stability (due to the Ukraine invasion), and cybersecurity.
The White House said, “In an increasingly digital world with sophisticated cyber threats we recognize an urgent need to take a collective approach to enhance cybersecurity. To achieve the Quad Leaders’ vision of a free and open Indo-Pacific, they committed to bolstering defences of critical infrastructure by sharing threat information, identifying and evaluating risks in digital supply chains, and among other cybersecurity initiatives that will have benefits to all users.
The Quad also aims to form a Quad Cybersecurity Partnership. The group will also initiate “capacity building programs” for the region and launch a Quad Cybersecurity Day to “help individual internet users across our nations, the Indo-Pacific region, and beyond to better protect themselves from cyber threats.”
According to a new alert from the FBI, the Russian hacker forums are full of network credentials and virtual private network access of employees from US educational institutions. The agency said these credentials are being advertised widely across hacker forums. Just in May 2021, the FBI found approximately 36,000 email and password combinations for accounts related to domains ending with .edu in public instant messaging platforms used by cybercriminals. The agency suggests most of these credentials are likely acquired by the prevalent attacks on US colleges and universities over the past few years including spear-phishing, ransomware, and other types of cyberattacks. As of January 2022, network credentials for sale or public access have been offered in Russian hacker forums for various US-based educational institutions. The prices of these listings range from anywhere between a few to multiple thousand US dollars.
There have been numerous ransomware incidents reported this year alone where multiple education institutes have been targeted. Often the educational institutions are not entirely transparent about ransomware attacks or data exfiltration, neither they are in a position to fulfill the ransom demand when attacked. The majority of education institutions are still recovering from the COVID-19 pandemic and a ransomware attack during this time may turn out to be a final blow. CTI has already observed, one such incident where a 157-year-old Lincoln College in Illinois had to permanently close down after suffering a ransomware attack.
In a recent patch update the popular open-source content management system (CMS) Strapi fixed two vulnerabilities that could allow attackers to access sensitive data such as email and password reset tokens. While not as well-known as its competitors which include the likes of WordPress or Joomla, Strapi is known for its “headless” capability meaning its front end and back end software run separately and it is being used by the some of the major organizations including IBM, NASA, and Walmart.
According to researchers, the vulnerability details access to sensitive information enables a user to compromise other users’ accounts by successfully invoking the password reset workflow. In a worst-case scenario, a low-privileged user could get access to a “super admin” account with full control over the Strapi instance and could read and modify any data as well as block access to both the admin panel and API by revoking privileges for all other users.
The latest release of Strapi CMS accounts for approximately 40,000 weekly downloads on NPM and around 25,000 weekly downloads for its older version. Researchers have found the vulnerabilities in the admin panel and state that an account compromise is fairly easy to perform. While it is unclear how many instances are currently vulnerable but given the patch was made available in recent weeks, researchers presume it is reasonable that not everyone has upgraded yet.
